Gemalto at W3C: two observations on security standards and the web

We previously blogged about the season of workshops that was coming up this Fall with the W3C. This is a follow up post, with our impressions of the top areas of discussion at the events we attended in Paris and Mountain View.

The web needs users to take active security decisions

The Paris workshop gathered some major players from around the web: 20 or so people, including security architects from Google, Mozilla, Apple, Microsoft, Sony, Qualcomm and General Motors, covered a range of issues. Foremost amongst them was trying to find a way to consistently capture user consent. For example, when web applications try to access sensitive information, such as calendar information, access to the camera, or location data – how do we simplify and standardize the way users give permission for these things to occur?

Photo of the Paris group: courtesy of Jonathan Jeon

Suggested solutions involved a combination of security, user experience mapping and service design. When talking about capturing and maintaining user consent, trust associated with that consent was a key factor – why should you consent? A trusted user interface (to avoid malware that tries to trick users) AND “signed” web applications to validate issuer identity (i.e. it is PayPal you’re dealing with) were key possible options for improving the trust model of the web. This is an active workstream within the W3C and news will follow as we make progress.

Diagram: courtesy of Adrienne Porter Felt

The web platform needs a hardware token

The Mountain View workshop focused on cryptography, authentication and hardware tokens. It gathered 70 people, representing browser vendors, hardware token vendors, service providers, and consortiums such as the FIDO Alliance, Smart Card Alliance, GlobalPlatform and SIMAlliance. We discussed many contexts in which a hardware token would strengthen the security and trust around specific web applications, including e-government, e-banking and online payment authentication.

In addition to discussing the services that require trust, the principle of allowing browser-based applications to store sensitive data in a secure element (instead of in their own software-based memory) was appealing to most attendees. The workshop decided that a new charter would be defined publicly with the participants, in order to standardize hardware token usage on the web.

We will be following the development of these workstreams closely and will no doubt update in due course. We’re keen to hear your views – do you think the web needs a hardware token? Let us know on Twitter, or in the comments. You can also follow some of the conversation at the #cryptonext hashtag on Twitter.

My colleague Virginie Galindo attended the Mountain View event on behalf of Gemalto and contributed to this post.